pypt | 2 months ago
https://news.ycombinator.com/item?id=46262540
A few technical details I enjoyed working on:
* Streaming ZIP: To allow downloading multiple files as a single archive without buffering, I implemented a custom streaming ZIP64 archiver. A Service Worker intercepts the request, fetches encrypted chunks, decrypts them, and constructs the ZIP stream on the fly in the browser.
* OPAQUE auth: I used the OPAQUE protocol (via serenity-kit) for the password-authenticated key exchange. It ensures the server never learns the password and protects weak passwords against offline attacks if the DB leaks.
* Passkey PRF auth: If your passkey provider supports PRF (like iCloud Keychain or Windows Hello), the app derives the data encryption key directly from the passkey, allowing a login flow that doesn't require entering a master password.
hamiecod|2 months ago
pypt|2 months ago
Also, aero.zip is a webapp, i.e. there's nothing to install, and you don't even need to sign up to send small files. Meanwhile, croc is a CLI utility, which will be hard for mom-and-pop users to use.